Typebot
- <= 3.15.2
A stored cross-site scripting vulnerability has been identified in Typebot versions prior to 3.16.0. The issue arises in the Typebot viewer, which renders anchor tags from rich text bubble content without filtering JavaScript URIs from their href values. This allows bot authors to inject links that, when clicked, execute arbitrary JavaScript in the context of the visitor's browser. Since the viewer is often embedded in third-party sites, the injected script can run in the host page's origin, potentially exfiltrating cookies and session tokens. Consequently, any authenticated Typebot user, including those on the free tier, can create a bot carrying such a payload, and the published bot is publicly accessible without requiring the victim to authenticate.
Successful exploitation results in stored cross-site scripting: the injected JavaScript executes in the context of the visitor's browser.
To reproduce this vulnerability, log in to Typebot as an authenticated user. Create a new bot and add a Text Bubble block. In the rich text editor, enter link text and set the URL to a JavaScript payload, such as one that reads cookies from the browser and sends them to an external server. After publishing the bot, open the live or embedded viewer and click the link. This triggers the JavaScript, exfiltrating the cookies to the specified server.
Users can update to Typebot version 3.16.0 or later, where this vulnerability has been fixed.
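The root cause described above is an anchor href taken from untrusted rich text and rendered without a scheme check. The following is an added example of the defensive check a viewer should apply; it is not Typebot's code and does not show how the 3.16.0 fix is implemented. The function names `safeHref` and `linkAttributes`, the `RESOLVE_BASE` origin and the sample inputs are all constructed for this illustration.

```javascript
// Added example (not Typebot's code): allow-list the scheme of anchor hrefs
// taken from untrusted rich text before they are rendered into the viewer.
// The WHATWG URL parser (global `URL` in browsers and Node.js) lower-cases the
// scheme and strips ASCII tabs/newlines, so variants such as "JaVaScRiPt:" or
// "java\nscript:" are still recognised as the javascript: scheme; a regex
// over the raw string would miss them.

const ALLOWED_PROTOCOLS = new Set(["http:", "https:", "mailto:"]);

// Hypothetical origin used only to resolve relative links while checking them.
const RESOLVE_BASE = "https://viewer.example.invalid/";

// Matches an explicit scheme prefix in the raw input ("https:", "mailto:").
const HAS_SCHEME = /^[a-z][a-z0-9+.-]*:/i;

/**
 * Returns a href that is safe to place on an <a>, or null if the link must be
 * dropped. Absolute URLs come back normalised; relative paths are returned as
 * written so they keep resolving against the page that embeds the viewer.
 */
function safeHref(rawHref) {
  if (typeof rawHref !== "string") return null;
  const trimmed = rawHref.trim();
  if (trimmed === "") return null;

  let parsed;
  try {
    parsed = new URL(trimmed, RESOLVE_BASE);
  } catch {
    return null; // not parseable as a URL: do not render it as a link
  }

  // The scheme check runs on the *parsed* URL, so obfuscated javascript: URIs
  // are rejected here before any relative-path handling can let them through.
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return null;

  return HAS_SCHEME.test(trimmed) ? parsed.href : trimmed;
}

/**
 * Attributes for rendering a sanitised link: opens in a new tab without
 * handing the opener window to the target.
 */
function linkAttributes(rawHref) {
  const href = safeHref(rawHref);
  if (href === null) return null;
  return { href, target: "_blank", rel: "noopener noreferrer" };
}

// Constructed sample inputs: what a bot author might type into the link field.
const SAMPLE_HREFS = [
  "https://example.com/docs",
  "mailto:support@example.com",
  "/pricing",
  "javascript:alert(1)",
  "JaVaScRiPt:alert(1)",
  "java\nscript:alert(1)",
  "  javascript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "vbscript:msgbox(1)",
];

for (const raw of SAMPLE_HREFS) {
  console.log(JSON.stringify(raw), "->", safeHref(raw));
}
```

Two points of design: the check is an allow-list on the parsed scheme rather than a deny-list of dangerous schemes, so `data:` and `vbscript:` are refused along with `javascript:` without being named. The returned value must be assigned through the DOM (`anchor.href = ...` or `setAttribute`), not concatenated into an HTML string: a relative-looking input such as `javascript&colon;alert(1)` passes this check as a harmless path, but if it were written unescaped into markup the HTML parser would decode the entity back into a `javascript:` URL. If the renderer builds HTML text, attribute-encode the href at that point.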